This regex

(\[(\w+) (\w+) (\d){1,2} (\d){2}:(\d){2}:(\d){2}\.(\d+) (\d){4}\]) (\[authz_core:error\]) (\[pid (\d+)\]) (\[client ((\d){1,3}\.){3}(\d){1,3}:(\d+)\]) AH(\d+): client denied by server configuration:.*$

captures everything in the log file that you posted. This part,

(\[(\w+) (\w+) (\d){1,2} (\d){2}:(\d){2}:(\d){2}\.(\d+) (\d){4}\])

is for the date, so we don't need it. These,

(\[authz_core:error\]) (\[pid (\d+)\]) (\[client ((\d){1,3}\.){3}(\d){1,3}:(\d+)\])

should be taken care of by %(_apache_error_client)s, so this leaves

AH(\d+): client denied by server configuration:.*$

So

^%(_apache_error_client)s AH(\d+): (client denied by server configuration:).*$

should match anything denied by server configuration. If you don't get any
matches, remove the $ from the end and retest the regex; when I added it most
of the lines failed to match, but that might be the copy and paste from the
email. A good application that helps with regular expressions is Kodos. I
don't run an Apache server, so I don't know if the digits after the "AH" are
always 01630, so I just captured any number of them. Good luck.
On Mon, 2015-09-21 at 01:25 +0800, allanit wrote:
> I have fail2ban 0.8.14 installed on Ubuntu 14.04.2.
>
> My apache-auth jail is not banning. I think I have narrowed this down
> to the regular expression. Below is a line form my apache error log
> but the apache-auth jail does not ban it even though it appears 10
> times in 30 minutes when the maxretry = 4 and the findtime = 21600 or
> 6 hours.
>
> [Sun Sep 20 14:16:29.813946 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:18384] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
>
> Can someone who is good with regular expressions let me know if this
> regular expression should match the log entry above or if it looks
> like it could be something else?
>
> ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
>
> Thanks in advance. Below is my complete configuration for the
> apache-auth.
>
> [apache-auth]
>
> # I set to true to see
> enabled = true
> port = http,https
> filter = apache-auth
> #logpath = /var/log/apache*/*error.log
> logpath = /var/log/virtualmin/*_error_log
> # Search past 6 hour
> findtime = 21600
> # Ban for 2 hours
> bantime = 7200
> maxretry = 4
>
> apache-auth.conf
>
> # Fail2Ban apache-auth filter
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # apache-common.local
> before = apache-common.conf
>
> [Definition]
>
>
> failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
>             ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
>             ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
>             ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
>             ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
>             ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
>             ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
>             ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
>             ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
>             ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
>             ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
>             ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
>             ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
>
>
>
> ignoreregex =
>
> # DEV Notes:
> #
> # This filter matches the authorization failures of Apache. It takes the log messages
> # from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
> # HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
> #
> # An unauthorized response 401 is the first step for a browser to instigate authentication
> # however apache doesn't log this as an error. Only subsequent errors are logged in the
> # error log.
> #
> # Source:
> #
> # By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
> # for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
> # all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
> # to return the actual failure.
> #
> # See also: http://wiki.apache.org/httpd/ListOfErrors
> # Expressions that don't have tests and aren't common.
> # more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
> # ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
> # ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
> # ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
> #
> # Author: Cyril Jaquier
> # Major edits by Daniel Black
>
>
> error Log file
>
> [Sun Sep 20 16:56:09.214042 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:52200] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
> [Sun Sep 20 16:56:10.251961 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:52254] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
> [Sun Sep 20 16:56:11.390328 2015] [authz_core:error] [pid 5580] [client 80.252.153.69:52309] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
> [Sun Sep 20 16:56:12.471485 2015] [authz_core:error] [pid 15976] [client 80.252.153.69:52360] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
> [Sun Sep 20 17:08:57.736345 2015] [authz_core:error] [pid 8361] [client 80.252.153.69:24040] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
> [Sun Sep 20 17:08:58.840087 2015] [authz_core:error] [pid 15974] [client 80.252.153.69:24082] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
> [Sun Sep 20 17:08:59.959748 2015] [authz_core:error] [pid 32002] [client 80.252.153.69:24149] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
> [Sun Sep 20 17:09:01.025283 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:24195] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
> [Sun Sep 20 17:24:41.728256 2015] [authz_core:error] [pid 15977] [client 80.252.153.69:1426] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
> [Sun Sep 20 17:24:42.748861 2015] [authz_core:error] [pid 12339] [client 80.252.153.69:1472] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
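Added example, not part of this thread or of fail2ban itself: a small Python script that runs the failregex from the original post and the one suggested in the reply over the error-log lines quoted above, and then applies the jail's maxretry/findtime counting to see which addresses would be banned. It assumes a simplified stand-in for %(_apache_error_client)s (fail2ban's real definition in apache-common.conf is broader) and adds two constructed log lines: one denial without a ", referer: ..." suffix and one unrelated AH01617 failure from another address. The result makes the failure mode visible: every quoted line ends in ", referer: http://...", and the posted failregex's trailing "(uri )?\S*\s*$" allows only one whitespace-free token after "configuration:" before end of line, so none of those lines ever count toward maxretry = 4; the suggested ".*$" tolerates the suffix and the jail reaches its threshold.

```python
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's %(_apache_error_client)s prefix. ASSUMPTION: this is a
# simplified regex written for this example, not the definition shipped in
# fail2ban's apache-common.conf. It covers the date, module:level, pid and
# client fields that the reply says the prefix takes care of, and names the
# client address "host" the way fail2ban's <HOST> tag does.
APACHE_ERROR_CLIENT = (
    r"\[(?P<date>[^\]]+)\] \[\S+:\S+\] \[pid \d+\] "
    r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]"
)

# The failregex from the original post and the one suggested in the reply.
POSTED_FAILREGEX = (
    r"^%(_apache_error_client)s (AH(01797|01630): )?client denied by server "
    r"configuration: (uri )?\S*\s*$"
)
SUGGESTED_FAILREGEX = (
    r"^%(_apache_error_client)s AH(\d+): (client denied by server "
    r"configuration:).*$"
)

# The ten error-log lines quoted in the thread, followed by two constructed
# lines: a denial with no ", referer: ..." suffix and an unrelated AH01617
# failure, both from a different (made-up) address.
SAMPLE_LOG = """\
[Sun Sep 20 16:56:09.214042 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:52200] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:10.251961 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:52254] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:11.390328 2015] [authz_core:error] [pid 5580] [client 80.252.153.69:52309] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 16:56:12.471485 2015] [authz_core:error] [pid 15976] [client 80.252.153.69:52360] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:08:57.736345 2015] [authz_core:error] [pid 8361] [client 80.252.153.69:24040] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:58.840087 2015] [authz_core:error] [pid 15974] [client 80.252.153.69:24082] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:59.959748 2015] [authz_core:error] [pid 32002] [client 80.252.153.69:24149] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:09:01.025283 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:24195] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:24:41.728256 2015] [authz_core:error] [pid 15977] [client 80.252.153.69:1426] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:24:42.748861 2015] [authz_core:error] [pid 12339] [client 80.252.153.69:1472] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:30:00.000000 2015] [authz_core:error] [pid 111] [client 10.0.0.5:4000] AH01630: client denied by server configuration: /home/myserver/public_html/private/
[Sun Sep 20 17:31:00.000000 2015] [auth_basic:error] [pid 112] [client 10.0.0.5:4001] AH01617: user bob: authentication failure for "/private/": Password Mismatch
"""


def expand(failregex):
    """Substitute the prefix the way fail2ban's config interpolation would."""
    return failregex.replace("%(_apache_error_client)s", APACHE_ERROR_CLIENT)


def matches(failregex, log_text):
    """Return (timestamp, host) for every log line the failregex matches."""
    pattern = re.compile(expand(failregex))
    hits = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            when = datetime.strptime(m.group("date"), "%a %b %d %H:%M:%S.%f %Y")
            hits.append((when, m.group("host")))
    return hits


def hosts_to_ban(failregex, log_text, maxretry=4, findtime=21600):
    """Hosts with at least `maxretry` matches inside some `findtime`-second
    window, i.e. the hosts the jail would ban (a simplified model of how
    fail2ban counts failures; defaults mirror the poster's jail settings)."""
    by_host = {}
    for when, host in matches(failregex, log_text):
        by_host.setdefault(host, []).append(when)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("suggested", SUGGESTED_FAILREGEX)):
        hits = matches(rx, SAMPLE_LOG)
        print(f"{name}: {len(hits)} matching lines, "
              f"would ban {sorted(hosts_to_ban(rx, SAMPLE_LOG))}")
```

Against the real filter and log, the same check is `fail2ban-regex /var/log/virtualmin/<vhost>_error_log /etc/fail2ban/filter.d/apache-auth.conf`, which prints how many lines each failregex matched and, for a jail that should be banning but is not, is the quickest way to confirm whether the filter or something else (log path, date parsing, the ban action) is at fault.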